Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
13273
Total
879
Critical
3861
High
4208
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-4330 | MEDIUM | 4.3 | The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and … | Apr 08, 2026 |
| CVE-2026-5508 | MEDIUM | 6.4 | The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wowpress` shortcode in all versions up to, and including, 1.0.0. This … | Apr 08, 2026 |
| CVE-2026-5506 | MEDIUM | 6.4 | The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wave` shortcode in all versions up to, and including, 0.2.6. This … | Apr 08, 2026 |
| CVE-2026-5169 | MEDIUM | 4.4 | The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Form Header' field in versions up to … | Apr 08, 2026 |
| CVE-2026-5167 | MEDIUM | 5.3 | The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions … | Apr 08, 2026 |
| CVE-2026-4871 | MEDIUM | 6.4 | The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' attributes of the `scm_member_data` shortcode in all … | Apr 08, 2026 |
| CVE-2026-4808 | HIGH | 7.2 | The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function … | Apr 08, 2026 |
| CVE-2026-4338 | HIGH | 7.5 | The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts | Apr 08, 2026 |
| CVE-2026-4141 | MEDIUM | 4.3 | The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing … | Apr 08, 2026 |
| CVE-2026-3781 | MEDIUM | 5.4 | The Attendance Manager plugin for WordPress is vulnerable to SQL Injection via the 'attmgr_off' parameter in all versions up to, and including, 0.6.2. This is … | Apr 08, 2026 |
| CVE-2026-3618 | MEDIUM | 6.4 | The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [print_clmns] shortcode in all versions … | Apr 08, 2026 |
| CVE-2026-3594 | MEDIUM | 5.3 | The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST … | Apr 08, 2026 |
| CVE-2026-3535 | CRITICAL | 9.8 | The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function … | Apr 08, 2026 |
| CVE-2026-3480 | MEDIUM | 6.5 | The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action … | Apr 08, 2026 |
| CVE-2026-3477 | MEDIUM | 5.3 | The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfm_user_request_action_callback() function, registered via … | Apr 08, 2026 |
| CVE-2026-3142 | MEDIUM | 6.4 | The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, … | Apr 08, 2026 |
| CVE-2026-2838 | MEDIUM | 4.4 | The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘woowhole_success_msg’ parameter in all versions up to, and … | Apr 08, 2026 |
| CVE-2025-1794 | MEDIUM | 5.4 | The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due … | Apr 08, 2026 |
| CVE-2026-5083 | MEDIUM | 5.3 | Ado::Sessions versions through 0.935 for Perl generates insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, … | Apr 08, 2026 |
| CVE-2026-5082 | MEDIUM | 5.3 | Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generate_session_id function will attempt to read bytes from the /dev/urandom device, … | Apr 08, 2026 |
| CVE-2026-3311 | MEDIUM | 6.4 | The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting … | Apr 08, 2026 |
| CVE-2026-33273 | MEDIUM | 4.7 | Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be … | Apr 08, 2026 |
| CVE-2026-27787 | MEDIUM | 5.4 | Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser … | Apr 08, 2026 |
| CVE-2026-24913 | HIGH | 8.8 | SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information stored in the database may be obtained or altered … | Apr 08, 2026 |
| CVE-2026-4785 | MEDIUM | 6.4 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the … | Apr 08, 2026 |